Smartphones give passwords the finger

Liam Tung

Workers who need to access their work systems from their smartphone may soon be giving the finger to passwords as mobile biometrics gathers pace as a viable alternative for proving people are who they claim to be.

The new Samsung Galaxy S5 smartphone, left, with the Gear 2 smartwatch, centre, and Gear Fit fitness band. Samsung has added biometrics to its new flagship device. Photo: Reuters

At least that's what could happen if enterprise IT departments respond favourably to new methods that leverage a smartphone's inbuilt sensors, such as cameras, iPhone-like fingerprint scanners, skin sensors and other biometric proof of identity.

Analyst firm Gartner says enterprise will start using biometrics soon. With consumer-owned devices set to continue invading the workplace, it expects about 30 per cent of organisations will be using biometrics to manage access from mobile devices by 2017. Today biometrics is deployed by just 5 per cent.

Cost, privacy concerns, usability and inadequate technology have constrained its adoption for enterprise, but password and token fatigue will probably change that, according to Anne Robins, Gartner Australia's research director for identity and privacy strategies.


"People are becoming increasingly dissatisfied with managing large numbers of complex passwords or using other special-purpose hardware tokens," Robins told IT Pro. "This groundswell is a strong motivation for enterprises to look to mobile biometrics, especially for customers, where an improved user experience could be a commercial differentiator."

Apple introduced its TouchID last year, a fingerprint scanner under the home button of the iPhone 5s, which lets people unlock the device and authorise iTunes and App Store purchases. Third-party developers can't use the sensor for their own apps yet, ruling it out for enterprise authentication for now. Fingerprint scanners were previously used on the Motorola Atrix smartphone and some Windows Vista laptops.

Still, Apple set the ball rolling for biometric authentication, which mobile, biometrics and authentication vendors are aiming to push beyond passports and criminal databases.

"When Apple put out TouchID, it just made the technology very cool. And everyone wants to use it. That was a big boost that the industry needed," said Sebastien Taveau, chief evangelist at Synaptics.

Synaptics supplies the bulk of touchpads used in today's laptops but last week launched its answer to TouchID, called Natural ID, a sensor it is selling to Apple's rivals.

The sensor is designed around authentication protocols being developed by the Fast IDentity Online (FIDO) Alliance, led by Google, Microsoft, BlackBerry, Lenovo, PayPal, MasterCard, RSA and a host of smaller authentication vendors.

These protocols ensure biometric and other authentication credentials stay on the device – a move meant to address credentials being stored on central servers that are all too often pilfered by hackers.

"The password is broken. A centralised database of credentials is the worst thing that can happen for authentication but it is the best thing for hackers," said Taveau.

They'd need to work quickly. "In most instances the putrefaction process starts within 10 minutes of something being dead. And then in 30 minutes the stuff is dead," said Taveau.

Modern sensors look for "blanch", the medical term for the white marks that appear after applying pressure to skin. "If you start playing around with a dead finger, guess what? You don't have a blanch."

This week, Apple was joined by the world's largest smartphone maker Samsung, which included a similar sensor to TouchID on its new Android flagship, the Galaxy S5.

Its partnership with PayPal, one of the founding members of the FIDO Alliance, lets owners make payments on PayPal with a touch of the finger. The device only shares a unique encrypted key with PayPal that allows the payments firm to verify the identity of the customer, but doesn't store biometric information on PayPal's servers.
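The exchange described above, modelled in Go as an added example (not code from the article, FIDO, Synaptics or PayPal): the phone's private key never leaves the device, the server keeps only the matching public key, and each login is a signature over a fresh server-issued challenge. The `Authenticator` and `RelyingParty` types and the `userVerified` flag standing in for the fingerprint check are assumptions of this example; it also shows why a stolen copy of the server's record is useless to an attacker, the point Taveau makes above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the phone. The private key is generated on the
// device and is never exported (assumed structure for this example).
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// RelyingParty models the server. It holds only the public key plus the
// challenges it has issued but not yet seen answered.
type RelyingParty struct {
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

// Register sends only the public half to the server; a breach of the
// server's store therefore yields nothing that can be used to log in.
func (a *Authenticator) Register() *RelyingParty {
	return &RelyingParty{pub: &a.priv.PublicKey, pending: map[string]bool{}}
}

// NewChallenge issues 32 random bytes and remembers them as outstanding.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Sign releases a signature only after the local user check (the
// fingerprint match, simulated here by userVerified) has passed.
func (a *Authenticator) Sign(challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Verify accepts a challenge once only, so a captured response cannot be
// replayed, and a signature from any other key is rejected.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	key := string(challenge)
	if !rp.pending[key] {
		return false // unknown, expired or already-answered challenge
	}
	delete(rp.pending, key)
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(rp.pub, h[:], sig)
}
```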

But they're just two examples of a cluster of new authentication methods emerging for password-free access to apps and devices. Another FIDO Alliance member, EyeVerify, uses a smartphone camera for "eye print" scanning.

They also hold promise as replacements for one-time codes from RSA's SecurID tokens. RSA last year acquired PassBan, a start-up that lets users lock down Android apps with a variety of techniques, including voice, face and location. Should RSA roll the technology into its own portfolio, biometrics will almost certainly be offered to enterprise.

Despite the growing interest in mobile biometrics, it remains an emerging technology. And, since it relies on the smartphone itself, it is exposed to the same malware threats, which could mean digital biometric credentials are stolen.

Google is advancing the FIDO Alliance's goals for better online authentication with an internal trial for a prototype one-time password token from Swedish manufacturer Yubico. It improves on existing tokens by not requiring users to type in a second code. Instead, after entering a simple PIN, a person only needs to tap the authentication device, which is physically connected to a laptop or wirelessly connected to a mobile device.

"By moving out the user credentials from a phone or computer that is connected to the internet, we minimise the risk of malware taking control over the user identity and device," Yubico's chief executive and founder, Stina Ehrensvard, told IT Pro.

Its token has also been taken up by Facebook, Australian cement giant Boral, the European Organisation for Nuclear Research, and the US Department of Defence.

For now, it seems a jump to a lower-hassle but equally secure two-factor authentication method is meeting enterprise needs sufficiently without demanding big investments in experimental authentication. But that could very well change in the not too distant future.